README
ACL plugin
The aclplugin is a Core Agent Plugin designed to configure ACLs in VPP. The configuration managed by this plugin is modelled by the acl proto file. It must be stored in ETCD under the following key:
/vnf-agent/<agent-label>/vpp/config/v1/acl/<acl-name>
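The key layout above can be built and checked in code before anything is written to or accepted from ETCD. The following is an added example, not code from the vpp-agent project: the helper names ACLKey and ParseACLKey are hypothetical, and the rule that neither the agent label nor the ACL name may be empty or contain "/" is an assumption made here so that one agent's input cannot address another agent's subtree.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Key layout from the README: /vnf-agent/<agent-label>/vpp/config/v1/acl/<acl-name>
const (
	agentPrefix = "/vnf-agent/"
	aclSuffix   = "/vpp/config/v1/acl/"
)

// ACLKey (hypothetical helper) builds the key for one ACL. Assumption: neither
// segment may be empty or contain '/', so a label or name cannot move the key
// into a different agent's subtree or a different configuration type.
func ACLKey(label, name string) (string, error) {
	for _, seg := range []string{label, name} {
		if seg == "" || strings.Contains(seg, "/") {
			return "", fmt.Errorf("invalid key segment %q", seg)
		}
	}
	return agentPrefix + label + aclSuffix + name, nil
}

// ParseACLKey (hypothetical helper) splits a key back into agent label and ACL
// name and rejects keys that are not ACL configuration keys.
func ParseACLKey(key string) (label, name string, err error) {
	if !strings.HasPrefix(key, agentPrefix) {
		return "", "", errors.New("key is outside the /vnf-agent/ tree")
	}
	rest := key[len(agentPrefix):]
	i := strings.Index(rest, "/")
	if i <= 0 {
		return "", "", errors.New("missing agent label")
	}
	if !strings.HasPrefix(rest[i:], aclSuffix) {
		return "", "", errors.New("not an ACL configuration key")
	}
	name = rest[i+len(aclSuffix):]
	if name == "" || strings.Contains(name, "/") {
		return "", "", fmt.Errorf("invalid ACL name %q", name)
	}
	return rest[:i], name, nil
}

func main() {
	key, _ := ACLKey("vpp1", "acl1") // constructed sample label and name
	fmt.Println(key)
	fmt.Println(ParseACLKey(key))
}
```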
JSON configuration example with vpp-agent-ctl
An example of basic ACL configuration in JSON format can be found with rules for MACIP, TCP, UDP
Built-in configuration example with vpp-agent-ctl
The vpp-agent-ctl binary also ships with some simple predefined ACL configurations. It is meant to be used solely for testing purposes.
To configure a new ACL acl1, use:
vpp-agent-ctl /opt/vpp-agent/dev/etcd.conf -acl
To delete the ACL, use:
vpp-agent-ctl /opt/vpp-agent/dev/etcd.conf -acld
Documentation
Overview
Package aclplugin implements the ACL Plugin that handles management of VPP Access lists.
Index
- Constants
- type ACLConfigurator
- func (c *ACLConfigurator) Close() error
- func (c *ACLConfigurator) ConfigureACL(acl *acl.AccessLists_Acl) error
- func (c *ACLConfigurator) DeleteACL(acl *acl.AccessLists_Acl) (err error)
- func (c *ACLConfigurator) DumpIPACL() (acls []*acl.AccessLists_Acl, err error)
- func (c *ACLConfigurator) DumpMACIPACL() (acls []*acl.AccessLists_Acl, err error)
- func (c *ACLConfigurator) GetL2AclIfIndexes() aclidx.ACLIndexRW
- func (c *ACLConfigurator) GetL3L4AclIfIndexes() aclidx.ACLIndexRW
- func (c *ACLConfigurator) Init(logger logging.PluginLogger, goVppMux govppmux.API, ...) (err error)
- func (c *ACLConfigurator) LogError(err error) error
- func (c *ACLConfigurator) ModifyACL(oldACL, newACL *acl.AccessLists_Acl) error
- func (c *ACLConfigurator) ResolveCreatedInterface(ifName string, ifIdx uint32) error
- func (c *ACLConfigurator) ResolveDeletedInterface(ifName string, ifIdx uint32) error
- func (c *ACLConfigurator) Resync(nbACLs []*acl.AccessLists_Acl) error
- type ACLIfCacheEntry
Constants
const (
	INGRESS = "ingress"
	EGRESS  = "egress"
	L2      = "l2"
)
Interface attribute according to the configuration
Variables
This section is empty.
Functions
This section is empty.
Types
type ACLConfigurator
type ACLConfigurator struct {
// contains filtered or unexported fields
}
ACLConfigurator runs in the background in its own goroutine where it watches for any changes in the configuration of ACLs as modelled by the proto file "../model/acl/acl.proto" and stored in ETCD under the key "/vnf-agent/{agent-label}/vpp/config/v1/acl/". Updates received from the northbound API are compared with the VPP run-time configuration and differences are applied through the VPP binary API.
func (*ACLConfigurator) ConfigureACL
func (c *ACLConfigurator) ConfigureACL(acl *acl.AccessLists_Acl) error
ConfigureACL creates an access list with the provided rules and sets this list on every relevant interface.
func (*ACLConfigurator) DeleteACL
func (c *ACLConfigurator) DeleteACL(acl *acl.AccessLists_Acl) (err error)
DeleteACL removes an existing ACL. To detach the ACL from interfaces, the list of interfaces has to be provided.
func (*ACLConfigurator) DumpIPACL
func (c *ACLConfigurator) DumpIPACL() (acls []*acl.AccessLists_Acl, err error)
DumpIPACL returns all configured IP ACLs in proto format.
func (*ACLConfigurator) DumpMACIPACL
func (c *ACLConfigurator) DumpMACIPACL() (acls []*acl.AccessLists_Acl, err error)
DumpMACIPACL returns all configured MACIP ACLs in proto format.
func (*ACLConfigurator) GetL2AclIfIndexes
func (c *ACLConfigurator) GetL2AclIfIndexes() aclidx.ACLIndexRW
GetL2AclIfIndexes exposes the L2 ACL interface name-to-index mapping.
func (*ACLConfigurator) GetL3L4AclIfIndexes
func (c *ACLConfigurator) GetL3L4AclIfIndexes() aclidx.ACLIndexRW
GetL3L4AclIfIndexes exposes the L3/L4 ACL interface name-to-index mapping.
func (*ACLConfigurator) Init
func (c *ACLConfigurator) Init(logger logging.PluginLogger, goVppMux govppmux.API, swIfIndexes ifaceidx.SwIfIndex) (err error)
Init initializes goroutines, channels and mappings.
func (*ACLConfigurator) LogError (added in v1.8.1)
func (c *ACLConfigurator) LogError(err error) error
LogError prints the error if it is not nil, including a stack trace. The same value is also returned, so it can be easily propagated further.
func (*ACLConfigurator) ModifyACL
func (c *ACLConfigurator) ModifyACL(oldACL, newACL *acl.AccessLists_Acl) error
ModifyACL modifies a previously created access list. An L2 access list is removed and recreated; an L3/L4 access list is modified directly. The list of interfaces is refreshed as well.
func (*ACLConfigurator) ResolveCreatedInterface
func (c *ACLConfigurator) ResolveCreatedInterface(ifName string, ifIdx uint32) error
ResolveCreatedInterface configures the new interface for every ACL found in the cache.
func (*ACLConfigurator) ResolveDeletedInterface
func (c *ACLConfigurator) ResolveDeletedInterface(ifName string, ifIdx uint32) error
ResolveDeletedInterface puts the removed interface into the cache, including the ACL index. Note: it is not necessary to remove the ACL from the interface manually; VPP handles it itself, and such behavior would cause errors (ACLs cannot be dumped from a non-existing interface).
func (*ACLConfigurator) Resync
func (c *ACLConfigurator) Resync(nbACLs []*acl.AccessLists_Acl) error
Resync writes ACLs to the empty VPP.
type ACLIfCacheEntry
type ACLIfCacheEntry struct {
// contains filtered or unexported fields
}
ACLIfCacheEntry contains info about an interface, its aclID and whether it is a MAC IP address. It is used as a cache for missing interfaces while configuring an ACL.
Directories
Path | Synopsis |
---|---|
vppcalls | Package vppcalls contains wrappers over VPP ACL binary APIs and helpers to dump ACLs configured in VPP - per interface and total. |